Kubernetes Ingress: whitelisting IPs per path

Date: 2019-11-19 02:39:29

Tags: nginx kubernetes kubernetes-ingress

I know I can whitelist IPs for the whole Ingress object, but is there a way to whitelist IPs for a single path? For example, if I only want to allow access to /admin from 10.0.0.0/16.

ingress.yml

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

3 answers:

Answer 0: (score: 1)

You can try splitting the Ingress into parts. I created two Ingresses, each with different paths; you can change the whitelisted IP on each.

1

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80

2

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    #nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend-two
              servicePort: 80

Answer 1: (score: 0)

If you want to split it into two Ingresses, it would look like below. The first Ingress has the /admin path and the annotation; the second Ingress has the other paths, allowed for any IP.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-admin
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /admin
            backend:
              serviceName: api
              servicePort: 8000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: frontend-all
  namespace: default
  labels:
    app: frontend
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
    - hosts:
        - frontend.example.com
      secretName: frontend-tls
  rules:
    - host: frontend.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: frontend
              servicePort: 80
          - path: /api
            backend:
              serviceName: api
              servicePort: 8000
          - path: /staticfiles
            backend:
              serviceName: api
              servicePort: 80

Keep in mind that the annotation nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" will override some of your configuration. As described in the Nginx docs:

    Adding an annotation to an Ingress rule overrides any global restriction.

Another option is to use the ConfigMap setting whitelist-source-range. As mentioned in this example, you can use ngx_http_access_module.

Just like in the Nginx configuration, each path is stored as a

location / {
  ...
}

location /api {
  ...
}

You can add those restrictions there. Example below:

location / {
    deny  192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny  all;
}
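The location-level allow/deny evaluation this answer describes, modelled in Python as an added illustration (not code from the answer or from ingress-nginx); the rule table is constructed for the question's /admin case and reproduces ngx_http_access_module semantics: longest location prefix, then first matching rule wins, with allow as the default when nothing matches.

```python
"""Model of ngx_http_access_module rules inside the per-path `location`
blocks ingress-nginx generates.  Added illustration, not code from the
answer above or from ingress-nginx."""
import ipaddress

# Constructed rule table for the question's use case: only 10.0.0.0/16 may
# reach /admin, the other paths stay open.  Order inside a block matters.
LOCATIONS = {
    "/": [("allow", "all")],
    "/api": [("allow", "all")],
    "/admin": [("allow", "10.0.0.0/16"), ("deny", "all")],
    # Same shape as the answer's example: the single-host deny must come
    # before the /24 allow, otherwise it can never fire.
    "/staticfiles": [
        ("deny", "192.168.1.1"),
        ("allow", "192.168.1.0/24"),
        ("allow", "10.1.1.0/16"),
        ("allow", "2001:0db8::/32"),
        ("deny", "all"),
    ],
}


def pick_location(path, locations=LOCATIONS):
    """nginx prefix matching: the longest location prefix matching the path wins."""
    return max((loc for loc in locations if path.startswith(loc)), key=len)


def rule_matches(cidr, client):
    """True if the client address falls under the rule's address spec."""
    if cidr == "all":
        return True
    # strict=False accepts host bits set, as nginx does: "10.1.1.0/16"
    # is treated as the network 10.1.0.0/16.  Address-family mismatches
    # (IPv4 client vs IPv6 rule) simply do not match.
    return client in ipaddress.ip_network(cidr, strict=False)


def is_allowed(path, client_ip, locations=LOCATIONS):
    """Return True if client_ip may request path.  The first matching rule
    decides; if no rule matches, nginx allows the request, which is why the
    trailing `deny all` is essential for a whitelist."""
    client = ipaddress.ip_address(client_ip)
    for action, cidr in locations[pick_location(path, locations)]:
        if rule_matches(cidr, client):
            return action == "allow"
    return True
```

Note that whatever address the rules see is the client address nginx believes it has; if the controller sits behind a load balancer that rewrites the source, the whitelist must be fed the real client address (for example via externalTrafficPolicy: Local or trusted forwarded headers) or it will compare against the load balancer's IP.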

Answer 2: (score: 0)

Did you solve the problem? I cannot figure out from the previous answer how to use this option:

    Another option is to use the ConfigMap setting whitelist-source-range. As mentioned in this example, you can use ngx_http_access_module.

Could you please provide an example?

Splitting into multiple Ingresses is very inconvenient in some cases =(

I just found another solution (but I think the solution from the previous answer is prettier): you can use the annotation nginx.ingress.kubernetes.io/server-snippet and write directives just as you would directly in nginx.conf.

https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-snippet

https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/advanced-configuration-with-annotations/